5 Syria: Protest singer Ibrahim Kashoush had his throat cut
Four days later, his body was found dumped in the Assi River (also spelled: Isa River), with a big, open and bloody wound in his neck where his Adam's apple and vocal cords had been removed. A clear message to those who dare to raise their voice against the Syrian President Bashar al-Assad.
Yalla Erhal Ya Bashar (It's time to leave, Bashar), demanding an end to President Bashar al-Assad's regime.
https://www.youtube.com/watch?v=nox6svyhbyk
(c) License: CC BY Solido Networks, Henrik Lund Kramshøj

9 Why think of security?
"Privacy is necessary for an open society in the electronic age. Privacy is not secrecy. A private matter is something one doesn't want the whole world to know, but a secret matter is something one doesn't want anybody to know. Privacy is the power to selectively reveal oneself to the world."
A Cypherpunk's Manifesto by Eric Hughes, 1993
Copied from https://cryptoparty.org/wiki/cryptoparty

10 Security is not magic
- Think security; it may seem like magic, but it is not
- Follow news about security
- Support communities, join and learn

12 Face reality
From the definition of paranoia: suspicion and mistrust of people or their actions without evidence or justification, e.g. "the global paranoia about hackers and viruses"
It is not paranoia when:
- Criminals sell your credit card information and commit identity theft
- Criminals trade infected computers like a commodity
- Governments write laws that allow them to introduce back-doors, and use these
- Governments do blanket surveillance of their population
- Governments implement censorship, threaten citizens and journalists
You are not paranoid when there are people actively attacking you!

16 Trading in infected computers
- Botnets and malware are today sold as SaaS with support contracts and updates
- Today's offer: trojans, buy 2 pay for one
- Fresh botnets, fresh phish: infected within the last week
- Support agreement: trojan support, IRC, IM
- Pay using credit card
- Malware programmers do better support than regular software companies: buy this version and get a year of updates free
- Rent our botnet with 100,000 bots by the hour

17 Government back-doors
What if I told you: Governments will introduce back-doors
- Intercepting encrypted communications with fake certificates - check
  May 5, 2011: A Syrian Man-In-The-Middle Attack against Facebook
  "Yesterday we learned of reports that the Syrian Telecom Ministry had launched a man-in-the-middle attack against the HTTPS version of the Facebook site."
  Source: https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook
- Mapping out social media and finding connections - check

19 Spearphishing - targeted attacks
- Spearphishing: targeted attacks directed at specific individuals or companies
- Use 0-day vulnerabilities only in a few places
- Create backdoors and mangle them until they are not recognized by anti-virus software
- Research and send to those most likely to activate the program, open the file, visit the page
- Stuxnet is an example of a targeted attack using multiple 0-day vulns

22 UK: Seize smart phones and download data
"Officers use counter-terrorism laws to remove a mobile phone from any passenger they wish coming through UK air, sea and international rail ports and then scour their data. The blanket power is so broad they do not even have to show reasonable suspicion for seizing the device and can retain the information for as long as is necessary. Data can include call history, contact books, photos and who the person is texting or e-mailing, although not the contents of messages."
Source:

23 UK wouldn't seize data like that, you are lying
"(Reuters) - British authorities came under pressure on Monday to explain why anti-terrorism powers were used to detain for nine hours the partner of a journalist who has written articles about U.S. and British surveillance programs based on leaks from Edward Snowden. Brazilian David Miranda, the partner of American journalist Glenn Greenwald, was detained on Sunday at London's Heathrow Airport where he was in transit on his way from Berlin to Rio de Janeiro. He was released without charge."
Source:

24 Skype is insecure
August 7, 2013: Restoring Trust in Government and the Internet
"In July 2012, responding to allegations that the video-chat service Skype owned by Microsoft was changing its protocols to make it possible for the government to eavesdrop on users, Corporate Vice President Mark Gillett took to the company's blog to deny it. Turns out that wasn't quite true."
So Skype owned by Microsoft is not trustworthy - stop the presses!
Source:

25 Government backdoors are not news
- Nothing new really, see for example D.I.R.T and Magic Lantern
- D.I.R.T - Data Interception by Remote Transmission, since the late 1990s
- They will always use "le mal du jour" (the evil of the day) to increase monitoring

26 Government monitoring is not news
FBI Carnivore: "... that was designed to monitor email and electronic communications. It used a customizable packet sniffer that can monitor all of a target user's Internet traffic."
http://en.wikipedia.org/wiki/carnivore_(software)
NarusInsight: "Narus provided Egypt Telecom with Deep Packet Inspection equipment, a content-filtering technology that allows network managers to inspect, track and target content from users of the Internet and mobile phones, as it passes through routers on the information superhighway. Other Narus global customers include the national telecommunications authorities in Pakistan and Saudi Arabia, ..."

27 Denmark
- Even Denmark, which is considered a peaceful democracy, has allowed this to go TOO FAR
- Danish police and TAX authorities have the legal means, even for small tax-avoidance cases, see "Rockerloven"
- Danish TAX authorities have legal means to go into your property to catch builders working for cash and not reporting tax income
- In both criminal and piracy cases we see a lot of extraneous equipment seized
- Danish prime minister Helle Thorning-Schmidt does NOT criticize the USA
- In fact the party Social Democrats are often pushing further surveillance

30 A vulnerability can and will be abused
What if I told you: Criminals will be happy to leverage backdoors created by government
It does not matter if the crypto product has a weakness to allow investigations or the software has a backdoor to help law enforcement. Data and vulnerabilities WILL be abused and exploited.

32 Hacker types anno 2008
Lisbeth Salander from Stieg Larsson's award-winning Millennium series does research about people, using hacking as a method to gain access
How can you find information about people?

33 From search patterns to persons
- First identify some basic information
- Use search patterns, e.g. from e-mail address to full name
- Some will give direct information about the target
- Others will point to intermediary information, e.g. domain names
- Pivot and redo the searching when new bits of information are found
- What information is public? (Google dorks!)

55 Suricata IDS/IPS/NSM
"Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF and its supporting vendors."

56 Netflow
- Netflow is getting more important; more data share the same links
- Accounting is important
- Detecting DoS/DDoS and problems is essential
- Netflow sampling is vital information: 123 Mbit, but what kind of traffic?
- We use mostly NFSen, but are looking at various software packages
- Currently also investigating sFlow - hopefully more fine grained
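The slide's point that sampled NetFlow tells you "123 Mbit, but what kind of traffic" is easiest to see with the aggregation a detector actually runs. The example below is added here and is not from the slides or from NFSen; the flow records, the 1:1000 sampling rate, the 60-second window and the thresholds are all constructed assumptions. It groups flows per destination and flags two shapes: many sources sending tiny packets (a SYN/UDP flood shape) and a destination pulling an estimated volume far above its normal baseline.

```python
from collections import defaultdict

# Constructed NetFlow records (assumed 1:1000 packet sampling, 60 s window).
# CSV fields: src,dst,proto,dport,packets,bytes
NORMAL = [
    "10.0.0.5,192.0.2.10,TCP,443,40,52000",
    "10.0.0.6,192.0.2.10,TCP,443,35,48000",
    "10.0.0.7,192.0.2.10,UDP,53,3,300",
]
# Eighty single-packet, 40-byte flows from distinct sources: flood shape.
FLOOD = [f"203.0.113.{i},192.0.2.20,TCP,80,1,40" for i in range(1, 81)]
# A few large UDP flows: volumetric shape (large bytes, few sources).
VOLUME = [f"198.51.100.{i},192.0.2.30,UDP,123,500,700000" for i in range(1, 4)]
SAMPLE = "\n".join(NORMAL + FLOOD + VOLUME)


def parse_flows(text):
    """Parse the constructed CSV flow lines into dicts; skips blanks/comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, pkts, nbytes = line.split(",")
        flows.append({"src": src, "dst": dst, "proto": proto,
                      "dport": int(dport), "packets": int(pkts),
                      "bytes": int(nbytes)})
    return flows


def summarize(flows, sample_rate=1000, window_s=60):
    """Per-destination totals, scaled back up by the sampling rate."""
    per_dst = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0,
                                   "sources": set()})
    for f in flows:
        d = per_dst[f["dst"]]
        d["flows"] += 1
        d["packets"] += f["packets"]
        d["bytes"] += f["bytes"]
        d["sources"].add(f["src"])
    summary = {}
    for dst, d in per_dst.items():
        summary[dst] = {
            "flows": d["flows"],
            "sources": len(d["sources"]),
            "avg_pkt_bytes": d["bytes"] / d["packets"],
            # sampled bytes * sample rate * 8 bits, spread over the window
            "est_mbit_s": d["bytes"] * sample_rate * 8 / 1e6 / window_s,
        }
    return summary


def flag_targets(summary, min_sources=50, max_avg_pkt=64, max_mbit_s=100.0):
    """Return [(dst, [reasons])] for destinations matching a DoS shape."""
    alerts = []
    for dst, s in sorted(summary.items()):
        reasons = []
        if s["sources"] >= min_sources and s["avg_pkt_bytes"] <= max_avg_pkt:
            reasons.append("many sources, tiny packets (SYN/UDP flood shape)")
        if s["est_mbit_s"] > max_mbit_s:
            reasons.append(f"volumetric: ~{s['est_mbit_s']:.0f} Mbit/s")
        if reasons:
            alerts.append((dst, reasons))
    return alerts


if __name__ == "__main__":
    for dst, why in flag_targets(summarize(parse_flows(SAMPLE))):
        print(dst, "->", "; ".join(why))
```

The thresholds must come from your own baseline per service; a busy web front-end legitimately sees far more sources than the constructed value used here.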

69 Are passwords dead?
google: "passwords are dead" - About 6,580,000 results (0.22 seconds)
Can we stop using passwords?
"Muffett on Passwords" has a long list of password related information, from the author of Crack

71 Google looks to ditch passwords for good
- Google is currently running a pilot that uses a YubiKey cryptographic card developed by Yubico
- The YubiKey NEO can be tapped on an NFC-enabled smartphone, which reads an encrypted one-time password emitted from the key fob.
Source:

72 Yubico YubiKey
- A Yubico OTP is a unique sequence of characters generated every time the YubiKey button is touched.
- The Yubico OTP is comprised of a sequence of 32 Modhex characters representing information encrypted with a 128-bit AES-128 key
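To make the slide concrete: the 32 Modhex characters are 16 AES-128-encrypted bytes, and a validation server only trusts them after decrypting and checking the structure inside. The example below is added here and is not Yubico's code: it implements the Modhex transport codec, the public-ID split, and the CRC and replay checks on the decrypted 16-byte token. The AES-128 decryption step is assumed to be done by a library and is not repeated; the token layout (6-byte private uid, 2-byte session counter, 3-byte timestamp, 1-byte session use, 2 random bytes, 2-byte CRC) follows the published Yubico OTP layout, and all sample values are constructed.

```python
import struct

# Modhex alphabet: characters that land on the same key on any keyboard layout,
# so the key can "type" the OTP regardless of the host's locale.
MODHEX = "cbdefghijklnrtuv"


def modhex_decode(text: str) -> bytes:
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("invalid Modhex string")
    nib = [MODHEX.index(ch) for ch in text]
    return bytes((hi << 4) | lo for hi, lo in zip(nib[::2], nib[1::2]))


def modhex_encode(data: bytes) -> str:
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0xF] for b in data)


def split_otp(otp: str):
    """Public ID prefix (the part before the last 32 chars) and the 16 encrypted bytes."""
    if not 32 <= len(otp) <= 48:
        raise ValueError("OTP length out of range")
    return otp[:-32], modhex_decode(otp[-32:])


def crc16(data: bytes) -> int:
    """ISO 13239 CRC-16 (reflected polynomial 0x8408) as used inside the token."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc


def build_token(uid: bytes, counter: int, timestamp: int, use: int, rnd: bytes) -> bytes:
    """Constructed plaintext token as the key forms it before AES encryption.
    The stored CRC field is the bitwise inverse of the CRC over the first 14 bytes."""
    body = (uid + struct.pack("<H", counter) + timestamp.to_bytes(3, "little")
            + bytes([use]) + rnd)
    return body + struct.pack("<H", crc16(body) ^ 0xFFFF)


def parse_token(token: bytes) -> dict:
    """Split a decrypted 16-byte token; a correct CRC leaves the residue 0xF0B8."""
    counter = struct.unpack("<H", token[6:8])[0] & 0x7FFF  # high bit is a flag, not count
    return {"uid": token[:6], "counter": counter,
            "timestamp": int.from_bytes(token[8:11], "little"),
            "use": token[11], "crc_ok": crc16(token) == 0xF0B8}


def verify_token(token: bytes, expected_uid: bytes, state: dict):
    """state holds the last accepted (counter, use) for this key, so a captured
    OTP replayed later, or an older one, is rejected even though it decrypts."""
    t = parse_token(token)
    if not t["crc_ok"]:
        return False, "bad CRC (wrong AES key or corrupted OTP)"
    if t["uid"] != expected_uid:
        return False, "private uid mismatch"
    if (t["counter"], t["use"]) <= (state["counter"], state["use"]):
        return False, "replayed or stale OTP"
    state["counter"], state["use"] = t["counter"], t["use"]
    return True, "ok"
```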

75 Integrate or develop?
From the previous slide, the conclusion on passwords: integrate with authentication, do not reinvent
Don't:
- Reinvent the wheel - too many times, unless you can maintain it afterwards
- Never invent cryptography yourself
- No copy-paste of functionality; harder to maintain in the future
Do:
- Integrate with existing solutions
- Use existing well-tested code: cryptography, authentication, hashing
- Centralize security in your code
- Fine to hide which authentication framework is being used, easy to replace later

76 Cisco IOS password
Title: Cisco's new password hashing scheme easily cracked
Description: "In an astonishing decision that has left cryptographic experts scratching their heads, engineers for Cisco's IOS operating system chose to switch to a one-time SHA256 encoding - without salt - for storing passwords on the device. This decision leaves password hashes vulnerable to high-speed cracking - modern graphics cards can compute over 2 billion SHA256 hashes in a second - and is actually considerably less secure than Cisco's previous implementation. As users cannot downgrade their version of IOS without a complete reinstall, and no fix is yet available, security experts are urging users to avoid upgrades to IOS version 15 at this time."
Reference: via newsletter
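The two slides above make one argument: a single unsalted SHA-256 is the wrong primitive for stored passwords, and the fix is to integrate well-tested hashing behind one central check rather than hand-roll it. The example below is added here and is not Cisco's or any library's code: it keeps a simplified unsalted-SHA-256 "legacy" scheme (Cisco's exact Type 4 text encoding is not reproduced) next to salted, iterated PBKDF2-HMAC-SHA256 from the standard library, and shows the transparent upgrade-on-login pattern a defender uses when a weak scheme is already deployed. The iteration count and the user/password values are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune so one check costs ~100 ms


def legacy_hash(password: str) -> str:
    """The weak scheme the article describes: one unsalted SHA-256 (simplified).
    Two users with the same password get the same hash, and one precomputed
    table cracks every account at once."""
    return "sha256$" + hashlib.sha256(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; the stored string carries its own parameters."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def check(password: str, stored: str) -> bool:
    """The single central verification point; callers never see the scheme."""
    scheme, _, rest = stored.partition("$")
    if scheme == "sha256":
        digest = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(digest, rest)  # constant-time compare
    if scheme == "pbkdf2_sha256":
        iters, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    raise ValueError(f"unknown password scheme: {scheme}")


def needs_upgrade(stored: str) -> bool:
    return stored.startswith("sha256$")


def login(store: dict, user: str, password: str) -> bool:
    """Verify the password; on success rehash legacy entries with the strong
    scheme, which is the only moment the plaintext is available to do so."""
    stored = store.get(user)
    if stored is None or not check(password, stored):
        return False
    if needs_upgrade(stored):
        store[user] = strong_hash(password)
    return True


def audit(store: dict) -> list:
    """Users still sitting on the weak scheme, for reporting and forced resets."""
    return sorted(u for u, h in store.items() if needs_upgrade(h))


def make_store() -> dict:
    """Constructed sample store: two legacy users sharing a password, one upgraded."""
    return {
        "alice": legacy_hash("Summer2013!"),
        "bob": legacy_hash("Summer2013!"),
        "carol": strong_hash("correct horse battery"),
    }
```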

81 John the Ripper
"John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches."
UNIX passwords can be cracked with Alec Muffett's well-known Crack program or, for example, John the Ripper. I use John the Ripper myself.

83 Part II: What are the vulnerabilities and threats
Hackers do not discriminate
We have seen lots of hacker stories, and we learn:
- We are all targets of hacking
- Social Engineering rockz!
- Phishing works.
- Anyone can be hacked: resources used to protect vs. the attacker's resources
- Hacking is not cool

84 Good security
Efficiency: good security = little investment, high gain; bad security requires too many resources
Resources: cost, time, money, administration
You always have limited resources for protection - use them as best as possible

85 First advice
- Use technology
- Learn the technology - read the freaking manual
- Think about the data you have and upload; Facebook license?! WTF!
- Think about the data you create - nude pictures taken, where will they show up?
- Turn off features you don't use
- Turn off network connections when not in use
- Update software and applications
- Turn on encryption: IMAPS, POP3S, HTTPS; also for data at rest: full disk encryption, tablet encryption
- Lock devices automatically when not used for 10 minutes
- Don't trust fancy logins like fingerprint scanner or face recognition on cheap devices

86 First advice: use the modern operating systems
Newer versions of Microsoft Windows, Mac OS X and Linux have:
- Buffer overflow protection
- Stack protection, non-executable stack
- Heap protection, non-executable heap
- Randomization of parameters, stack gap etc.
Note: these still have errors and bugs, but are better than older versions
OpenBSD has shown the way in many cases
Always try to make life worse and more costly for attackers

94 Hashing algorithms
"NIST announced a public competition in a Federal Register Notice on November 2, 2007 to develop a new cryptographic hash algorithm called SHA-3. The competition is NIST's response to advances made in the cryptanalysis of hash algorithms. ... Based on the public comments and internal review of the candidates, NIST announced Keccak as the winner of the SHA-3 Cryptographic Hash Algorithm Competition on October 2, 2012, and ended the five-year competition."

113 Theft - kindergarten and airports
- Many parents are in a hurry when they are picking up their kids
- Many people can easily be distracted around crowds
- Many people leave their laptops out in the open - even at conferences... making theft likely/easy
- Stolen for the value of the hardware - or for the data?
- Industrial espionage, economic espionage or corporate espionage is real

115 Duplicity
What is it? "Duplicity backs up directories by producing encrypted tar-format volumes and uploading them to a remote or local file server. Because duplicity uses librsync, the incremental archives are space efficient and only record the parts of files that have changed since the last backup. Because duplicity uses GnuPG to encrypt and/or sign these archives, they will be safe from spying and/or modification by the server."
See: duplicity home page; The GNU Privacy Guard

140 HTTPS Everywhere
"HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites."

141 CertPatrol - which site uses which certificate
An add-on formerly considered paranoid: "CertPatrol implements pinning for Firefox/Mozilla/SeaMonkey roughly as now recommended in the User Interface Guidelines of the World Wide Web Consortium (W3C)."

151 Whonix
"Whonix is an operating system focused on anonymity, privacy and security. It's based on the Tor anonymity network, Debian GNU/Linux and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user's real IP."
https://www.whonix.org/

172 Key findings 2011
- Application-Layer DDoS Attacks Are Increasing in Sophistication and Operational Impact
- Mobile/Fixed Wireless Operators Are Facing Serious Challenges to Maintaining Availability in the Face of Attacks
- Firewalls and IPS Devices Are Falling Short on DDoS Protection
- DNS Has Broadly Emerged as an Attack Target and Enabler
- Lack of Visibility into and Control over IPv6 Traffic Is a Significant Challenge
- Chronic Underfunding of Operational Security Teams
- Operators Continue to Express Low Confidence in the Efficacy of Law Enforcement
- Operators Have Little Confidence in Government Efforts to Protect Critical Infrastructure
Source: February 2011

179 Buffer overflows is a C problem
A buffer overflow is what happens if some internal structure in a program is modified by an attacker for the purpose of taking control of the application and system. Often the program will crash, but if the attacker can input specific data it might be possible to point to their own shell code containing instructions to be executed.
Stack protection is today both a specific technique and a generic term for adding protection to operating systems and programs to reduce the likelihood of buffer overflows succeeding. The main features are protecting areas in memory by making them non-writeable and non-executable.
StackGuard and ProPolice are some popular choices

182 Exploits - exploiting vulnerabilities
- An exploit is a program designed to abuse some weakness or vulnerability
- Usually the exploit will demonstrate the weakness found, a proof-of-concept (PoC)
- Usually the exploit will only include one vulnerability and is targeted at specific versions of the vulnerable program
- Exploits can be a few lines of code or multiple pages
- Used to be written using Perl and C, but today popular choices include Ruby and Python
- Can often be plugged into the Metasploit framework for direct execution

187 Principle of least privilege
Why execute applications with administrative rights - if they only need to read from a database?
Principle of least privilege: execute code only with the most restrictive set of permissions required to perform a task

188 Privilege escalation
- Privilege escalation is what an attacker aims to perform
- Trying to get from an authenticated user to a higher privileged administrative user id
- Some functions in operating systems require higher privileges, and they can sometimes be persuaded to fail in spectacular ways
- When an attacker can execute commands they can often find a way to exploit software and escalate privileges

189 Local vs. remote exploits
- Local vs. remote signifies whether the specific attack is done from the operating system using a local command/feature, or remotely across some network connection
- Remote root exploit: feared because it would grant administrative rights across a network connection
- More often an attacker will combine a remote exploit with a privilege escalation exploit
Zero-day exploits
- 0-days are not made public but kept in small groups, and can suddenly be found in use on the internet, or in specific use for a targeted attack
- Since nobody is aware of the problem, there is no fix readily available from the vendors/programmers

195 We must allow open hacker tools
In 1993 Dan Farmer and Wietse Venema wrote the article "Improving the Security of Your Site by Breaking Into it"
In 1995 they released the software package SATAN - Security Administrator Tool for Analyzing Networks
"We realize that SATAN is a two-edged sword - like many tools, it can be used for good and for evil purposes. We also realize that intruders (including wannabees) have much more capable (read intrusive) tools than offered with SATAN."
See also and source:

237 Burp Suite
"Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun."
Burp Suite contains proxy, spider, scanner and other tools in the same package - NB: EUR 249 per user per year.

256 Balanced security
[Figure: security level per system (Prod, Test, Dev, Mail, Web), "good security" with an even level across all systems vs. "bad security" with an uneven level]
- Better to have the same level of security
- If you have bad security in some part - guess where attackers will end up
- Hackers are not required to take the hardest path into the network
- Realize there is no such thing as 100% security

257 Work together
- Team up!
- We need to share security information freely
- We often face the same threats, so we can work on solving these together

260 How to become secure
- Don't use computers at all; data about you is still processed by computers :-(
- Don't use a single device for all types of data
- Don't use a single server for all types of data; mail server != web server
- Configure systems to be secure by default, or change the defaults
- Use secure protocols and VPN solutions
- Some advice can be found in these places
